CVE-2017-2860
An exploitable denial-of-service vulnerability exists in the lookup entry functionality of KeyTrees in Natus Xltek NeuroWorks 8. A specially crafted network packet can cause an out-of-bounds read, resulting in a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
Natus Xltek NeuroWorks 8
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-125 - Out-of-bounds Read
Natus NeuroWorks 8 provides a networking solution for the Natus Xltek EEG products. In particular, it is used to monitor and review study data from anywhere on the network. This advisory looks into the NWStorage service bundled with NeuroWorks.
The module used in this advisory is shown below:
0:000> lm vm List
start end module name
23000000 23012000 List (export symbols) c:\Neuroworks\List.dll
Loaded symbol image file: c:\Neuroworks\List.dll
Image path: c:\Neuroworks\List.dll
Image name: List.dll
Timestamp: Wed Nov 06 09:58:18 2013 (527A833A)
CheckSum: 0001779F
ImageSize: 00012000
File version: 8.0.1.1544
Product version: 8.0.1.1544
One of the key data structures in Neuroworks is the KeyTree. Internally, a KeyTree is a list of lists. The list and KeyTree structs are shown below:
KeyTree/List
char opcode; // 5 for KeyTree, 4 for ItemList
int num_elements; // Number of elements in this KeyTree
Item[num_elements] items; // List of elements
Python pseudocode for this construct for a valid KeyTree is shown below:
keytree = clkeytree([
    clitemlist([clstr("Connections\0")]),
    clitemlist([clstr("Client\0")]),
    clitemlist([clstr("ProcessId\0", 0x1234)]),
    clitemlist([clstr("Study\0"), study]),
])
Above, we see a KeyTree with a key of Connections.Client.ProcessId with a value of 0x1234, as well as a key of Study with a value of study (which would be defined elsewhere). The key feature here is that the KeyTree assumes that each of its elements is an ItemList.
One component of the traversal of the KeyTree is shown below:
List.dll
.text:2300447A 024 mov eax, [esi+14h] // Esi - KeyTree struct
.text:2300447D 024 test eax, eax // Eax - first ItemList in the KeyTree
.text:2300447F 024 jz loc_2300461F
.text:23004485 024 lea this, [eax+14h] // Retrieve `next value` from the ItemList
.text:23004488 024 call ds:ATL::CSimpleStringT<char,1>::operator char const *(void)
This snippet shows the beginning of the retrieval of the value in the first element of the first ItemList in a KeyTree. This code assumes that the first element of a KeyTree is an ItemList. If the first element of the KeyTree is instead a string data structure, for instance, the dereference at 0x23004485 doesn't necessarily point to a valid memory address. Passing an invalid address to the function called at 0x23004488 will cause a crash of Neuroworks, resulting in a denial-of-service condition. For example, the following pseudocode, substituted for the valid pseudocode above, will trigger this vulnerability.
keytree = clkeytree([
    clstr('A' * 4)
])
(610.880): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\Neuroworks\List.dll -
eax=05091ff8 ebx=04f84f68 ecx=0509200c edx=020b1078 esi=0508ffe8 edi=0000000b
eip=786d540c esp=0012f7ec ebp=00450828 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
mfc90+0xf540c:
786d540c 8b01 mov eax,dword ptr [ecx] ds:0023:0509200c=????????
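To make the KeyTree layout and the missing type check concrete, the following is an added example (not Talos code and not NeuroWorks code) of a small Python serialiser and parser for the KeyTree/ItemList construct described above. The opcodes 5 and 4 and the opcode/num_elements/items layout come from the advisory; the leaf opcodes, the byte layout of string and integer leaves, the split of `clstr("ProcessId\0", 0x1234)` into a string leaf plus a separate `clint` leaf, and the rule that a name/value ItemList closes the current key path are assumptions made for this example. The parser refuses a KeyTree whose element is not an ItemList, which is the validation the lookup code at 0x23004485 does not perform.

```python
import struct

# Opcodes from the advisory: 5 = KeyTree, 4 = ItemList.
# The leaf opcodes (1 = string, 2 = int) and leaf layouts are assumptions.
OP_STRING, OP_INT, OP_ITEMLIST, OP_KEYTREE = 1, 2, 4, 5


def clstr(s: str) -> bytes:
    """String leaf. Assumed layout: opcode, u32 length, raw bytes (NUL included)."""
    raw = s.encode("ascii")
    return struct.pack("<BI", OP_STRING, len(raw)) + raw


def clint(value: int) -> bytes:
    """Integer leaf. Assumed layout: opcode, i32 little-endian."""
    return struct.pack("<Bi", OP_INT, value)


def _cllist(opcode: int, items: list) -> bytes:
    # Layout from the advisory: opcode, num_elements, then the elements.
    return struct.pack("<BI", opcode, len(items)) + b"".join(items)


def clitemlist(items: list) -> bytes:
    return _cllist(OP_ITEMLIST, items)


def clkeytree(items: list) -> bytes:
    return _cllist(OP_KEYTREE, items)


def parse(buf: bytes, pos: int = 0):
    """Parse one node at `pos`; return (node, next_pos).

    Every read is bounds-checked, and a KeyTree element that is not an
    ItemList is rejected instead of being treated as one.
    """
    if pos >= len(buf):
        raise ValueError("truncated packet")
    op = buf[pos]
    if op == OP_STRING:
        if pos + 5 > len(buf):
            raise ValueError("truncated string header")
        (n,) = struct.unpack_from("<I", buf, pos + 1)
        start = pos + 5
        if start + n > len(buf):
            raise ValueError("string leaf runs past end of packet")
        text = buf[start:start + n].rstrip(b"\0").decode("ascii")
        return ("str", text), start + n
    if op == OP_INT:
        if pos + 5 > len(buf):
            raise ValueError("truncated int leaf")
        (v,) = struct.unpack_from("<i", buf, pos + 1)
        return ("int", v), pos + 5
    if op in (OP_ITEMLIST, OP_KEYTREE):
        if pos + 5 > len(buf):
            raise ValueError("truncated list header")
        (n,) = struct.unpack_from("<I", buf, pos + 1)
        pos += 5
        items = []
        for _ in range(n):
            node, pos = parse(buf, pos)
            # The check the vulnerable lookup lacks: a KeyTree may only
            # contain ItemLists, so a string here is a malformed packet.
            if op == OP_KEYTREE and node[0] != "list":
                raise ValueError(f"KeyTree element must be an ItemList, got {node[0]}")
            items.append(node)
        return ("list" if op == OP_ITEMLIST else "keytree", items), pos
    raise ValueError(f"unknown opcode {op}")


def lookup(tree, dotted_key: str):
    """Resolve a dotted key such as Connections.Client.ProcessId to its value.

    Assumed scoping: single-string ItemLists extend the current path; a
    name/value ItemList names a key under that path and then resets it.
    """
    kind, itemlists = tree
    if kind != "keytree":
        raise ValueError("not a KeyTree")
    path = []
    for _, elems in itemlists:
        if len(elems) == 1 and elems[0][0] == "str":
            path.append(elems[0][1])
        elif len(elems) == 2 and elems[0][0] == "str":
            full = ".".join(path + [elems[0][1]])
            path = []
            if full == dotted_key:
                return elems[1][1]
        else:
            raise ValueError("malformed ItemList")
    return None


def demo():
    """Parse the valid KeyTree from the advisory, then reject the malformed one."""
    study = clstr("study-placeholder\0")  # constructed stand-in for `study`
    good = clkeytree([
        clitemlist([clstr("Connections\0")]),
        clitemlist([clstr("Client\0")]),
        clitemlist([clstr("ProcessId\0"), clint(0x1234)]),
        clitemlist([clstr("Study\0"), study]),
    ])
    tree, end = parse(good)
    assert end == len(good)
    pid = lookup(tree, "Connections.Client.ProcessId")
    bad = clkeytree([clstr("A" * 4)])  # first element is a string, not an ItemList
    try:
        parse(bad)
        rejected = False
    except ValueError:
        rejected = True
    return pid, rejected


if __name__ == "__main__":
    print(demo())
```

Running the block parses the valid tree, returns 0x1234 for `Connections.Client.ProcessId`, and reports that the KeyTree whose first element is a bare string was rejected at parse time rather than reaching a lookup that would dereference it as an ItemList.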
2017-07-15 - Vendor Disclosure
2017-10-06 - Vendor Acknowledged
2018-05-31 - Public Release
Discovered by Cory Duplantis of Cisco Talos.